Strategy Bug Bounty Program
A private bug bounty program for the public security researcher community to help us ensure the security and privacy of our customers and data.
About the Program
Strategy's private bug bounty program applies to supported versions of Strategy software as well as Strategy's assets, including its corporate website. Researchers can be eligible for awards of up to $2,000 per unique vulnerability that is identified and reported responsibly to Strategy through our Security Vulnerability Reporting Portal. To enable detailed testing, Strategy provides a Strategy Library and a Strategy Web environment to which security researchers have authenticated access.
Strategy Library: https://bugbounty.cloud.microstrategy.com/MicroStrategyLibrary/
Strategy Web: https://bugbounty.cloud.microstrategy.com/MicroStrategy/
By submitting a potential vulnerability report, you acknowledge that you have read and agreed to the terms of Strategy's program (Program Terms).
How to Make a Submission
To make a submission, report the vulnerability directly and exclusively to us by contacting us through the Security Vulnerability Reporting Portal with the following information:
Summary: A detailed summary of the vulnerability, ensuring the steps taken to discover the vulnerability are clear and reproducible by our team. Summary must include:
Type of issue
Location
Product
Version (if known)
Configuration of any software, as appropriate
Instructions: Step-by-step instructions necessary to reproduce the issue or vulnerability including screenshots if applicable
Severity: Estimated severity and/or impact of the issue, if any
Attachments: Any relevant attachments
Targets
Any software published by Strategy on https://community.microstrategy.com/s/products or web domains owned by Strategy are in scope for our Bug Bounty program.
To enable researchers to get hands-on inside the Strategy software, Strategy provides the following environments for authenticated testing. All data in these environments is wiped periodically.
Strategy Library: https://bugbounty.cloud.microstrategy.com/MicroStrategyLibrary/
Strategy Web: https://bugbounty.cloud.microstrategy.com/MicroStrategy/
To access the application, use a Gmail account to log in via OIDC.
This is a shared environment, with each researcher having their own account and space in the application.
What You Can Expect from Us
We take every disclosure seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Strategy and the broader Internet community. We will investigate every disclosure and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.
Strategy will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:
Time to first response (from report submit date) = 5 business days
Time to triage (from report submit date) = 15 business days
Time to bounty (from triage date) = 30 business days
Researchers will be kept informed about our progress throughout the process.
Compensation & Submission Eligibility
Compensation
Please note these are general guidelines and that reward decisions are in Strategy's sole discretion. Bounty payments are based on multiple factors including clarity of submission and vulnerability impact.
Typical bounty payments by CVSS v4.0:
Critical (9.0 - 10.0) = $500 - $2,000
High (7.0 - 8.9) = $500 - $1,000
Medium (4.0 - 6.9) = $200 - $500
Low (0.1 - 3.9) = $20 - $200
Payments will be via PayPal.
Duplicate Reports
When multiple researchers report the same vulnerability, only the first Submission will be eligible for a reward (if it meets all other requirements). Multiple vulnerabilities caused by one underlying issue will be eligible for only one award. Vulnerabilities already known by Strategy are not eligible for an award. Strategy's decision on eligibility and the amount of any award are final and binding.
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug. The following issues are considered out of scope and will be ineligible for an award (this list is subject to change at any time):
Any Strategy-developed software or third-party software that is End of Life or no longer supported
HTML injection and Self-XSS
Open redirects
SSL/TLS best practices
Information disclosures
Mixed content warnings
Denial of Service attacks and Distributed Denial of Service attacks
Host header and banner grabbing issues
Clickjacking with no sensitive actions
UI redressing
Missing CSRF token
Any non-Strategy applications or assets, unless it's a Strategy modified or branded version
Missing security-related HTTP headers which do not lead directly to a vulnerability
Internal pivoting, scanning, exploiting, or exfiltrating data from internal Strategy systems
Attacks requiring MITM or physical access to a user's device
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Account/e-mail enumeration
Reflected file download attacks
Incomplete or missing SPF/DKIM
Physical or social engineering attacks
Results of automated tools or scanners
Recently disclosed 0-day vulnerabilities
Login/logout/unauthenticated/low-impact CSRF
Presence of autocomplete attribute on web forms
CVEs affecting outdated browsers or platforms
Using unreported vulnerabilities to find other bugs
Self-exploitation (e.g. password reset links or cookie reuse)
Issues related to networking protocols or industry standards
XSS in Flash files not developed by MicroStrategy, e.g. third-party ads
Use of a known-vulnerable library (without proof of exploitability)
Descriptive/verbose/unique error pages (without proof of exploitability)
Brute force attacks
XSS in HTML containers
Broken link hijacking
Reporting the disclosure of publicly accessible files or directories (like .htaccess, robots.txt, etc.)
Issues found in third-party services or components
Software version disclosure (without proof of exploitability)
Lack of certificate pinning or HSTS
Missing Secure or HttpOnly flags on cookies
Lack of rate-limiting
Tapjacking
Tabnabbing
Program Terms
What We Expect of You & Disclaimers
Eligibility
You are eligible to participate in Strategy's bug bounty program only if you are approved by Strategy, you are 18 years of age or older, you are participating in your individual capacity, and none of the following criteria exist:
You are on a United States sanction list or reside in a country under United States sanctions or that prohibits participation in a program like this
Your employment, contractual, or similar obligations prohibit your participation
You or an immediate family member is a Strategy employee (or was in the six months before your Submission)
You failed to comply with the Program Terms
Making payment of a bounty to you is prohibited by a law, regulation, ethics rule, contract, or similar basis
Strategy retains the sole discretion to determine eligibility. If we determine that your Submission is eligible and offer an award, we will notify you of the amount and provide you with paperwork that must be completed before we can provide the award payment.
Disclaimers/Prohibited Activities
For the avoidance of doubt, the following activities are expressly prohibited:
Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Strategy data or data belonging to Strategy's business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Strategy (collectively, Strategy Data)
Hacking, penetrating, or otherwise attempting to gain unauthorized access to Strategy applications, systems, or Strategy Data in violation of the Program Terms or applicable laws
Demonstrating a proof of concept on a third-party website (Strategy will not accept such reports)
Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing
Mass creation of accounts to perform testing against Strategy applications and services
Conducting physical attacks against any Strategy assets (e.g., Strategy facilities and any equipment within Strategy facilities)
Disrupting or otherwise adversely affecting Strategy's business, the operation of any Strategy applications or systems, or the use and protection of Strategy Data
Strategy reserves all rights and potential claims with respect to any such prohibited activities.
Researcher Do's and Don'ts
Do
Research and make reports in good faith while working collaboratively with Strategy
Respect our customers' and employees' privacy
Only interact with accounts you own or have express permission to use
Only include one vulnerability per report, unless vulnerabilities must be chained to show the impact
Include detailed reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward
Verify all reports before submission
Contact us if you are uncertain whether to continue testing the potential vulnerability or have any other questions
Report potential vulnerabilities directly and exclusively to us
Do Not
Leave any system in a more vulnerable state than you found it
Perform any actions that require contact with Strategy employees or customers (other than the Strategy technical teams administering the bug bounty program)
Harm or exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability
Intentionally access any Strategy Data except to the extent necessary to prove that a vulnerability exists or to identify an indicator related to a vulnerability
Compromise the privacy or safety of any Strategy employees, customers, or other third parties
Compromise the intellectual property or other commercial or financial interests of any Strategy companies, employees, customers, or other third parties
Confidentiality
Unless Strategy provides you with written consent, all information regarding a Submission, including the information you share with us through your Submission, must be kept confidential and may not be shared in any way outside of the Strategy program. This includes discussions related to our program or any vulnerabilities (even if resolved).